feat: add modal-edit permissions for projects milestones and tasks

2026-03-16 18:13:54 +00:00
parent f16bdd9725
commit 9e14df921e
8 changed files with 122 additions and 35 deletions
--- a/app/api/routers/misc.py
+++ b/app/api/routers/misc.py
@@ -13,6 +13,7 @@ from pydantic import BaseModel

 from app.core.config import get_db
 from app.api.deps import get_current_user_or_apikey
+from app.api.rbac import ensure_can_edit_milestone
 from app.models import models
 from app.models.apikey import APIKey
 from app.models.activity import ActivityLog
@@ -126,6 +127,7 @@ def create_milestone(ms: schemas.MilestoneCreate, db: Session = Depends(get_db),
        data["depend_on_tasks"] = None
    
    db_ms = MilestoneModel(**data)
+    db_ms.created_by_id = current_user.id
    db_ms.milestone_code = milestone_code
    db.add(db_ms)
    db.commit()
@@ -152,10 +154,11 @@ def get_milestone(milestone_id: int, db: Session = Depends(get_db)):


@router.patch("/milestones/{milestone_id}", response_model=schemas.MilestoneResponse, tags=["Milestones"])
-def update_milestone(milestone_id: int, ms_update: schemas.MilestoneUpdate, db: Session = Depends(get_db)):
+def update_milestone(milestone_id: int, ms_update: schemas.MilestoneUpdate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
    ms = db.query(MilestoneModel).filter(MilestoneModel.id == milestone_id).first()
    if not ms:
        raise HTTPException(status_code=404, detail="Milestone not found")
+    ensure_can_edit_milestone(db, current_user.id, ms)
    for field, value in ms_update.model_dump(exclude_unset=True).items():
        setattr(ms, field, value)
    db.commit()